CVE-2026-42366 PUBLISHED

GeoVision LPC2011/LPC2211 Web Interface / ssi.cgi reflected cross-site scripting (XSS) vulnerabilities

Assigner: GV
Reserved: 26.04.2026 Published: 04.05.2026 Updated: 04.05.2026

Multiple reflected cross-site scripting (XSS) vulnerabilities exist in the Web Interface / ssi.cgi functionality of GeoVision LPC2011/LPC2211 1.10. A specially crafted malicious URL can lead to arbitrary JavaScript code execution. An attacker can provide a crafted URL to trigger this vulnerability.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
CVSS Score: 7.4

Product Status

Vendor GeoVision Inc.
Product GV-LPC2011/LPC2211
Versions Default: unaffected
  • Version V1.10 is affected
  • Version V1.20 is unaffected

Solutions

GeoVision GV-LPC2011/LPC2211 V1.12-260330 has patched the reported vulnerability.

Users may visit the GeoVision website or contact the GeoVision Support team for a firmware update.

Credits

  • Philippe Laulheret of Cisco Talos (finder)
  • Kelly Patterson of Cisco Talos (remediation reviewer)
  • Martin Zeiser of Cisco Talos (coordinator)

Problem Types

  • CWE-79 Improper neutralization of input during web page generation ('cross-site scripting')

Impacts

  • CAPEC-63 Cross-Site Scripting (XSS)